Superior Security Awareness Training is Developed with Research-Based Adult Learning Best Practices in Mind
The Human Element: The Psychology of Security
In cybersecurity, we often imagine the villains as shadowy figures hunched over glowing screens, hammering away at firewalls and ruthlessly stealing passwords. But the truth is both simpler and more unsettling—the “bad guy” doesn’t need to hack into your systems at all. All it takes is someone inside your organization to make a mistake.
Cybersecurity incidents related to the human element rarely stem from malice. They happen because of normal human psychology. For example, people are wired to respond quickly to perceived urgency, especially when a message appears to come from an authority figure while a deadline is looming. In fast-paced environments, the instinct to act fast can trump critical thinking. Likewise, people typically want to be helpful and cooperative; however, these seemingly positive traits are easily exploited with messages that appeal to trust, empathy, or the desire to please. Additionally, many people hesitate to admit when they’re uncertain and hide it when they make a mistake. The fear of embarrassment, judgment, or disciplinary action is powerful and can lead well-meaning employees to conceal a mistake or try to fix a problem themselves, which often makes things worse. This combination of psychological triggers—urgency, helpfulness, and shame—can be expertly exploited by bad actors who understand that the softest target in any network is the human mind.
According to the 2025 Verizon Data Breach Investigations Report (Verizon, 2025), nearly 60% of breaches involve the human element: missteps like credential misuse, phishing clicks, or just good old-fashioned human error. Imagine a car manufacturer boasting about its world-class brakes, even though the majority of accidents still happen because drivers press the wrong pedal. That’s where we are with cybersecurity today. Our critical investments in security solutions can be easily circumvented in minutes by an employee's mistake.
Here’s the emotional reality most leaders don’t talk about: when those mistakes happen, employees aren’t just endpoints on a risk chart. They’re people. They’re fallible humans who feel embarrassed, ashamed, even afraid. They replay the pivotal moment over and over in their head, “Why did I click that link!? Why didn’t I notice!?” Meanwhile, the IT team scrambles, frustrated that no matter how many warnings they send out, it seems like the message is never received.
This is precisely why Security Awareness Training (SAT) isn’t optional—it’s essential. Simply put, the goal of SAT is to educate learners in a way that leads to real security outcomes like lowering human risk and reducing the likelihood of security incidents. SAT should lead to lasting behavior change. To accomplish this, you want training that employees actually start (and complete!) and content they truly retain. SAT should catalyze behavior change that improves your security posture and leads to a culture where employees see security as valuable to the business rather than just “that thing IT keeps bugging us about.”
Unfortunately, the traditional SAT that most organizations know falls woefully short. It’s once a year. It’s boring. It’s compliance theater. And it treats employees like checkboxes instead of adults who want to do the right thing. When training feels irrelevant, people tune out, and mistakes keep happening.
Why Traditional SAT Fails and What You Can Do About It
Imagine you're sitting at your computer rereading another email from your manager “gently” reminding you to complete your annual security training. You’ve procrastinated and avoided it for weeks now. You fixate on the word “mandatory,” as a feeling of dread rises within you, and you think about all the “real” work you actually need to get done today…
The sad fact is that most SAT feels like a chore. Long lectures. Static content. No follow-up. This kind of training is painfully misaligned with how adults actually learn. We know this because back in the 1970s, a pioneering educational researcher named Malcolm Knowles explained that adults learn differently from children. In contrast to “pedagogy,” which in Greek means “to lead the child,” Knowles introduced his adult learning theory known as “andragogy,” which identified specific principles for educating adult learners (1970; 1973).
Pedagogy assumes that young learners are dependent on the teacher for direction, knowledge, and evaluation. The instructor is the authority who dictates how the learning will occur in a top-down fashion. As you likely remember from grade school, this pedagogical approach typically relies heavily on lecture, rote memorization, and external motivation in the form of grades. Adults, however, aren’t just big children. Knowles made clear that adults require a distinct approach, and his insights remain as true today as they were when he introduced them over 50 years ago:
- Self-Direction: Adults crave control over how they learn. They want to understand why they should learn something before investing effort.
- Experience: Adults bring a lifetime of experience to their learning, and this experience is a valuable resource to capitalize on.
- Relevance: Adults engage most when learning ties directly to real-world challenges and is relevant to their professional or personal lives.
- Application: Adults prefer problem-centered approaches and want to learn things that they can apply immediately.
- Intrinsic Motivation: Adults are motivated most by internal drivers. Learning should be rewarding, meaningful, and aligned with learners’ values and goals.
Furthermore, many of today’s popular behavioral science models are built on Knowles’ andragogic principles. For example, the Fogg Behavior Model (Fogg, 2009) says behavior occurs when motivation, ability, and a prompt align. Fall short at any one of these points, and change doesn’t happen. Similarly, the ADKAR Model (Hiatt, 2006) tells us that awareness is only the starting point of behavior change. Desire, knowledge, ability, and reinforcement must follow awareness for it to have an impact. Despite this information being readily available, most SAT programs never go beyond awareness—they simply present a bunch of information and stop there. But when it comes to adult learning, the “how” matters just as much as the “what.” When done right, your SAT can be more than informative; it can be transformative.
Effective SAT Keeps Adult Learning in Mind
Now that we know how adults learn best, let’s apply theory to the practice of SAT. Believe it or not, your employees really do want to learn how to keep the company safe. Since SAT is the most direct defense against human error, it follows that you want to provide the very best SAT possible. The good news is that there are evidence-based best practices for doing this. Let’s look at some of them now through the approach taken by Huntress Managed SAT:
- Make it Engaging: Dry slide decks disengage learners; interactive stories fix their attention. When content is boring, employees multitask, zone out, and start texting. However, when your content is compelling, they tune in, curious about what’s going to happen next. In my review of Huntress Managed SAT, I saw that they present content in story-driven, animated episodes with relatable characters. This is by design—neuroscience shows that storytelling works because it is easier to remember events when they are part of an overarching narrative. The hippocampus, our brain’s storyteller, encodes narrative experiences more deeply than abstract facts (Fell, 2021).
- Make it Interactive: With Huntress, interactivity is baked in. Instead of passive reading or watching followed by a tedious quiz, they ask questions throughout the learning experience. Learners make choices. They see consequences. It’s actual participation and genuine learning. The Huntress team also gamifies the SAT experience, incorporating leaderboards, streaks, and badges that encourage active participation and lead to higher levels of engagement and satisfaction (Azis et al., 2024).
- Make it Consumable: We all know that attention spans are short. Unlike having one long annual or even quarterly training, Huntress regularly delivers short-form lessons throughout the year. Keeping things brief enables learners to easily digest and retain the information. Presenting it in an entertaining, animated format keeps things interesting and fun. Huntress also makes sure their lessons incorporate a variety of delivery methods (e.g., visual, auditory, reading, writing, and kinesthetic) designed to suit multiple learning styles (Fleming & Mills, 1992).
- Make it Continuous: Annual training equals low retention. The “forgetting curve” wipes out knowledge before it can take hold. However, when information is presented and periodically revisited, it gets encoded in the brain and retained. Think of it like going to the gym—one intense workout a year doesn’t make you healthy. Consistency is more important than intensity or duration. You need to exercise a little bit regularly over time to get results. At Huntress, content is delivered at a regular cadence, which aids retention, reinforces behavior, and mitigates the erosion seen with annual-only programs (Smith & Scarf, 2017). Huntress drops new episodes regularly. Their realistic monthly phishing simulations reinforce lessons and boost detection skills. Behavior-based assignments trigger when risky activity is detected through their EDR and ITDR tools. Instead of a once-a-year burden, they make security an ongoing conversation that happens within a robust security ecosystem.
- Make it Relevant: Most SAT is a catalog of canned content, much of which has become stale. But because threats evolve fast, Huntress doesn’t rely on a static library. Instead, they tap into their team of security experts who are actual practitioners in defending millions of identities and endpoints. As they spot new tactics in the wild, they translate them into training episodes and phishing scenarios in quick succession. Since attackers are innovating constantly, your training should do the same. This approach aligns nicely with adult learning theory, which suggests that adults engage most when learning is directly tied to real-world challenges and is relevant to their lives. Huntress leverages this principle by ensuring every lesson connects to authentic threats employees might encounter on the job (Clark, 2021). Additionally, Huntress provides instant feedback and situation-specific assignments based on actual behavior. In this way, they help correct risk as soon as an incident is triggered.
- Reinforce It: When it comes to cybersecurity, many organizations are characterized by a culture of fear. Employees are afraid to make mistakes and afraid to report them. In contrast, Huntress empowers companies to build cultures in which employees don’t fear punishment for honest mistakes. When someone clicks a simulated phishing link, they don’t get humiliated; they get coaching. Like it or not, everyone makes mistakes, and Huntress chooses to see them as teachable moments. Punishing mistakes leads to secrecy and worse security. Positive reinforcement builds confidence while encouraging learners to report incidents, thereby strengthening overall security. Adult learning theory confirms this: Adults prefer learning things that help them solve real, immediate challenges, and they are motivated primarily by internal drivers like curiosity, purpose, and a desire for mastery (Moustafa et al., 2021).
Building a Culture of Security to Drive Better Outcomes
When SAT is done right, it doesn’t just change knowledge; it changes culture. Culture is the most powerful security control you have. Tools can fail. Processes can fail. But culture is collective behavior that lasts. Effective SAT isn’t just about compliance; it’s about mindset. I believe that Huntress helps you change behavior and build a culture of security by providing robust, diverse, and customizable training options grounded in adult learning best practices.
In a strong security culture, employees don’t think of security as “that annoying IT checklist.” They think of it as part of their career and their lifestyle. They talk about it in the breakroom. They report suspicious emails without fear. This is how security transcends compliance and becomes resilience.
Let’s be honest. No employee dreams of more training in their lives. Nobody wakes up excited to click through a security module. But when training is designed with respect for adult learners’ preferences, when it’s grounded in real-life experiences, and it’s delivered with mindfulness and creativity, something shifts. Employees lean in instead of hiding, and positive outcomes follow.
So, imagine if you will, SAT that really works. SAT that people actually enjoy. It may sound like a fantasy, but it’s not—it’s a choice. A choice that Huntress makes possible with engaging, story-based episodes, realistic phishing scenarios, immersive threat simulations, just-in-time phishing defense coaching, and behavior-based assignments designed to be fun and memorable. All this while also remaining true to the goal of educating learners about security awareness, promoting more secure behaviors to reduce risk, and improving your organization's overall security posture.
References
- Azis, M., Gul, A., & Bilgin, Ç. U. (2024). The evaluation of gamification implementation for adult learners: A scale development study based on andragogical principles. Education and Information Technologies, 29, 18591–18620. https://doi.org/10.1007/s10639-024-12561-x
- Clark, D. (2021). Educating adult learners: Bridging learners’ characteristics and the learning sciences. In A. J. Pushpalatha & S. Rajabi (Eds.), Research in adult learning: Applying theory to practice (pp. 45–64). Springer. https://doi.org/10.1007/978-981-15-1628-3_4
- Fell, A. (2021, September 29). Hippocampus is the brain’s storyteller. UC Davis. https://www.ucdavis.edu/health/news/hippocampus-brains-storyteller
- Fleming, N. D., & Mills, C. (1992). Not another inventory, rather a catalyst for reflection. To Improve the Academy, 11(1), 137–155. https://doi.org/10.1002/j.2334-4822.1992.tb00213.x
- Fogg, B. J. (2009). A behavior model for persuasive design. In Proceedings of the 4th International Conference on Persuasive Technology (pp. 1–7). ACM.
- Hiatt, J. (2006). ADKAR: A model for change in business, government, and our community. Prosci Learning Center Publications.
- Huntress. (2025, September 17). Mind the (security) gap: SAT in 2025 [Report]. https://www.huntress.com/resources/mind-the-security-gap-sat-2025?direct
- Knowles, M. S. (1970). The modern practice of adult education: Andragogy versus pedagogy. New York, NY: Association Press.
- Knowles, M. S. (1973). The adult learner: A neglected species. Houston, TX: Gulf Publishing.
- Moustafa, A. A., Herzallah, M. M., Abdallah, A. B., Moustafa, K., & El-Gayar, O. F. (2021). The role of user behaviour in improving cyber security: A behavioural science perspective. Frontiers in Psychology, 12, Article 782714. https://doi.org/10.3389/fpsyg.2021.561011
- Murre, J. M. J., & Dros, J. (2015). Replication and analysis of Ebbinghaus’ forgetting curve. PLOS ONE, 10(7), e0120644. https://doi.org/10.1371/journal.pone.0120644
- Smith, C. D., & Scarf, D. (2017). Spacing repetitions over long timescales: A review and a reconsolidation explanation. Frontiers in Psychology, 8, 962. https://doi.org/10.3389/fpsyg.2017.00962
- Verizon. (2025). 2025 Data Breach Investigations Report: Executive summary. https://www.verizon.com/business/resources/reports/2025-dbir-executive-summary.pdf
Author
Joshua Stern, Ph.D. — Joshua Stern Educational Consulting
I am an adult learning and online education expert with 25 years of increasingly responsible professional experience in a variety of academic and corporate settings. After receiving my B.A. from the University of California Berkeley, I completed my M.A. and Ph.D. in Education at UCLA. My main area of interest is adult learning (andragogy), specifically as relates to online program design and delivery. My passion for education and belief in the transformative power of online learning have led me to dedicate my career to creating unique and engaging learning experiences for adults around the globe. For the past decade, I have been running Joshua Stern Educational Consulting. On a daily basis, I am fortunate enough to do what I love—helping organizations, large and small, create or improve their educational offerings.